Are you among the relatively small number of organizations that perform email phishing tests against your users? If so, why do you do it? The easy answer, of course, is to minimize your information security risks. So, you go about testing your users’ gullibility, train them on why they should not respond to such emails, and you’re done, right? In a nutshell, yes. However, if you are going to get the most out of your email phishing testing, you need to have specific end goals in mind. There is likely more testing that needs to be done.

A common scenario I see is email phishing tests being run without understanding the expectations of those involved. Similar to how many organizations run vulnerability scans in the name of compliance – merely going through the motions – without any true buy-in, oversight, or actionable outcomes, phishing for the sake of checking a box does no one any good. What does management want? Who knows. What is the security or compliance team going to get out of this? That hasn’t been defined. What are customers or business partners expecting? Who knows. You may run an email phishing campaign against your users only to find out that the security operations team detected the emails and sent out a notification telling everyone not to click the link or provide information. Sure, there was an outcome: security tools and staff members did their thing, but your users were never actually tested. Is that a true phishing test? Probably not.

What happens in a real-world scenario where all of your users (or a targeted subset of users) do receive phishing emails? Are they going to open them? Are they going to click links or run attachments? Will they provide sensitive information or allow malware to be installed? You – and management – may be relying on security staff and technologies to help prevent such attacks. However, given the number of emails people receive and the savviness of criminal hackers, the odds are good that some phishing emails will get past your controls, and users will end up having to make security choices on your behalf. That earlier email phishing campaign showing that tools and staff members are on top of things will do you no good in this situation, because it never measured how your users respond.

It doesn’t matter whether you do your email phishing manually using your own internal setup, i.e. an email server and a Web server, or whether you’re using a commercial phishing tool such as LUCY: you need to define your testing parameters as well as set expectations for desired outcomes – in advance. What do you really want to get out of your email phishing testing? Maybe it actually is to test the quality of your security tools or the alertness of security staff members. But that’s only half the equation. You have to look at the bigger picture and bring your users and any other variables into the fray. Otherwise, you’re likely not going to get what you need out of this exercise, and you’ll end up creating a false sense of security around this threat, making matters worse over the long haul.